sim_tcr
Posts: 326
Joined: Tue Nov 06, 2012 1:01 pm
Location: Bangalore

SSH and webserver over Internet. Is my setup vulnerable?

Thu Nov 29, 2012 8:19 am

Hello,

After a bit of research I was able to set up SSH over the internet and also a webserver with no-ip. Below is my setup.

My ISP provides dynamic IP only. So I decided to register an account with no-ip.org and also registered a hostname with them.
Installed no-ip agent on the Raspberry Pi and set the interval as 30 (don't know if it's minutes or seconds).
Installed Apache.
On the router I forwarded port 22 (for ssh) and 80 (for webserver) to my Raspberry Pi's static LAN IP.
Now I am able to launch my website <site>.no-ip.org and ssh in to <site>.no-ip.org from an external network.

I have set up key based authentication.
I have modified /etc/ssh/sshd_config and made 'PasswordAuthentication no'
I have set up a banner for ssh.
Changed pi and root account passwords to something complex (no dictionary word, include numeric and capitals)

With the above setup, are my Pi and LAN reasonably secure?

Thanks,
Simon Mandy
http://raspisimon.no-ip.org
Raspberry Pi Model B x 2, Raspberry Pi 2 x 2, Transcend 32GB Class 10, Transcend 16GB Class 10, Transcend 8GB Class 4, Custom 12V 1.5A (stepped down to 5.5V)
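
Added example, not part of the original post: sshd uses the first value it reads for most keywords, while `Port` lines accumulate, so a setting appended to the bottom of `/etc/ssh/sshd_config` may not take effect. The checker below resolves a constructed sample that way; the function names are illustrative, `Match` blocks are not evaluated, and the `ChallengeResponseAuthentication` check is a related setting the thread does not mention.

```python
# Constructed sample of a hand-edited /etc/ssh/sshd_config: the shipped
# defaults are still at the top and the new settings were appended below.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no

# added later
Port 50022
passwordauthentication no
"""

# Keywords sshd accumulates; for every other keyword the first value wins.
MULTI = {"port", "listenaddress"}


def effective_settings(text):
    """Resolve the global section the way sshd_config(5) describes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":      # conditional blocks are out of scope here
            break
        if key in MULTI:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)   # later duplicates are ignored
    return settings


def audit(text):
    """Return findings for the settings discussed in this thread."""
    s = effective_settings(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password logins are still enabled")
    if s.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("keyboard-interactive (PAM password) logins are enabled")
    if "22" in s.get("port", ["22"]):
        findings.append("sshd still listens on port 22")
    return findings
```

On the Pi itself, `sudo sshd -T` prints the configuration sshd has actually resolved and is the authoritative check.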

Heater
Posts: 13124
Joined: Tue Jul 17, 2012 3:02 pm

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 8:33 am

Sounds like you have done the best you can with SSH.

Now the next thing to worry about is Apache.

Serving up static web pages is perhaps safe as houses. Except perhaps if you inadvertently allow Apache to serve all and every file on the machine.

If you get into server side scripting and user logins and so on and so on then you have to worry about how safe all that is.

adlambert

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 8:36 am

Security is always a balance between admin overhead and the sensitivity/value of what you are trying to protect. If you are protecting a hobbyist Pi setup then I would say you have done sufficient, as long as your SD image is backed up for rapid replacement in the event that someone decides to do damage out of spite. If, on the other hand, you were holding (hypothetically) credit card details then you are unlikely to get far up the PCI DSS requirements.

I have a Pi and tightVNCServer with VNC tunnelled over SSH, and more than once there have been attempts to connect to VNC by brute force attack (VNC stops accepting login attempts until rebooted). I've done no more than you to harden, and there have been no successful attacks.

joan
Posts: 14200
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 8:43 am

You are now probably more secure than most UK government departments. Remember to keep your software updated (so that security patches are applied in a timely fashion).

999frogs
Posts: 25
Joined: Thu Dec 22, 2011 1:57 pm

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 9:47 am

Many security guides advise changing the ssh port from 22 to something non standard

sim_tcr

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 10:32 am

999frogs wrote: Many security guides advise changing the ssh port from 22 to something non standard
I read about that a lot in the forum.
If I change the port from 22 how do I connect using putty? Put the hostname and mention the port in the next tab?
Can someone here tell me how to change the port? Is it again through /etc/ssh/sshd_config?
What other port can I use?
How can I know if that port is not utilized by some other applications in my LAN or other systems?

adlambert

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 10:48 am

You can detect what ports are in use by using the netstat command, and just pick an unused one that isn't usually part of a standard service.

Putty has a box to configure a port number when you set up the basic session options.

I haven't bothered to change from port 22 because even the most inexperienced hacker will find where SSH is using nmap.

ghans
Posts: 7871
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 10:52 am

I believe it simply stops bots, which are a major nuisance.
I don't think that there is anything which stops a targeted attack backed by enough money, knowledge and time.


ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

sim_tcr

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 11:02 am

ghans wrote: I believe it simply stops bots, which are a major nuisance.
I don't think that there is anything which stops a targeted attack backed by enough money, knowledge and time.


ghans
In my /var/log/auth.log I see so many attempts to connect using random usernames from the same IP address or from the same pool.
Is that done using bots?
Will that get reduced if I change the port?
Again, is the ssh port changed through /etc/ssh/sshd_config?
Also, by looking at the auth.log is there a way we can check if one of the attempts was successful or not?

ghans

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 11:07 am

Yes, yes, try man sshd_config at the terminal, yes something like "bye" directly after trying to log in.

ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org
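
Added example, not part of the thread: one way to answer the auth.log questions above is to separate failed attempts from accepted logins and flag any login that does not fit a key-only setup. The log lines are constructed in the format OpenSSH writes, and the function name is illustrative.

```python
import re
from collections import Counter

# Constructed sample in the format OpenSSH writes to /var/log/auth.log.
# Addresses come from documentation ranges; none are from the thread.
SAMPLE_LOG = """\
Nov 29 10:01:02 raspberrypi sshd[2201]: Invalid user admin from 203.0.113.7
Nov 29 10:01:02 raspberrypi sshd[2201]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Nov 29 10:01:05 raspberrypi sshd[2203]: Invalid user oracle from 203.0.113.7
Nov 29 10:01:09 raspberrypi sshd[2205]: Invalid user test from 203.0.113.9
Nov 29 10:30:41 raspberrypi sshd[2310]: Accepted publickey for pi from 192.168.1.20 port 50211 ssh2
Nov 29 11:02:13 raspberrypi sshd[2350]: Failed password for root from 203.0.113.7 port 4720 ssh2
Nov 29 11:02:17 raspberrypi sshd[2350]: Accepted password for root from 203.0.113.7 port 4720 ssh2
"""

SSHD = r"sshd\[\d+\]: "
INVALID = re.compile(SSHD + r"Invalid user (?P<user>\S*) from (?P<ip>\S+)")
# "Failed ... for invalid user" is skipped: the Invalid user line already counted it.
FAILED = re.compile(SSHD + r"Failed \S+ for (?!invalid user )(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(SSHD + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")


def analyse(log_text):
    """Return (failed attempts per IP, accepted logins, logins worth a look)."""
    attempts, accepted = Counter(), []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            accepted.append(m.groupdict())
            continue
        m = INVALID.search(line) or FAILED.search(line)
        if m:
            attempts[m.group("ip")] += 1
    # On a key-only server, flag any login that did not use a key, and any
    # login from an address that was also guessing usernames or passwords.
    suspicious = [a for a in accepted
                  if a["method"] != "publickey" or attempts[a["ip"]] > 0]
    return attempts, accepted, suspicious


if __name__ == "__main__":
    attempts, accepted, suspicious = analyse(SAMPLE_LOG)
    print("failed attempts by source:", dict(attempts))
    for a in accepted:
        print("accepted:", a)
    for a in suspicious:
        print("CHECK THIS LOGIN:", a)
```

Rotated logs (`auth.log.1` and the compressed older files) need the same pass, since an older login will no longer be in the current file.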


sim_tcr

Re: SSH and webserver over Internet. Is my setup vulnerable

Thu Nov 29, 2012 12:59 pm

I changed my port to something random, I will monitor auth.log for any more attempts.


sim_tcr

Re: SSH and webserver over Internet. Is my setup vulnerable

Fri Nov 30, 2012 2:39 pm

There is a small issue.
As described in the beginning, I have the no-ip agent running on my Pi and in my router I have forwarded port 80 to my Pi's static LAN IP. I also have Apache running on the Pi on port 80.

The issue is, from my LAN if I try to access my <hostname>.no-ip.org I get my router login page. From outside my LAN <hostname>.no-ip.org works and lands on my index.html which is on my Pi.

Any thoughts?

Dweeber
Posts: 606
Joined: Fri Aug 17, 2012 3:35 am
Location: Mesa, AZ

Re: SSH and webserver over Internet. Is my setup vulnerable

Fri Nov 30, 2012 2:55 pm

On your workstation create an entry in its hosts file for the hostname and point it to the local IP.
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com

sim_tcr

Re: SSH and webserver over Internet. Is my setup vulnerable

Fri Nov 30, 2012 3:02 pm

Dweeber wrote: On your workstation create an entry in its hosts file for the hostname and point it to the local IP.
I was thinking about changing the port of Apache to 8081 and forwarding that port in the router. Will that fix the issue?

Mursili
Posts: 28
Joined: Fri Nov 23, 2012 2:12 am

Re: SSH and webserver over Internet. Is my setup vulnerable

Sat Dec 01, 2012 1:35 am

I am not sure which issue you are working to fix at this time.

It has been a while, but I completely cut out failed authentication attempts when I switched the ssh port to 443 (which is normally used for https). When my sshd was listening on port 22 I got several attempts a day. I have a friend that said that he once could not get to his machine on port 443 from some hotels when he was traveling, but I have not encountered that (then again, I have not tried too many times).

Using another port for your web server will make it more difficult to connect to the server. I suppose it depends on who you want looking at the pages that you host there. It would simply take including the port in the link to your site. I have little knowledge about the security of web servers and instead serve any pages that I need using Google APIs (which costs a little bit monthly).

sim_tcr

Re: SSH and webserver over Internet. Is my setup vulnerable

Sat Dec 01, 2012 2:30 am

Mursili wrote: I am not sure which issue you are working to fix at this time.

It has been a while, but I completely cut out failed authentication attempts when I switched the ssh port to 443 (which is normally used for https). When my sshd was listening on port 22 I got several attempts a day. I have a friend that said that he once could not get to his machine on port 443 from some hotels when he was traveling, but I have not encountered that (then again, I have not tried too many times).

Using another port for your web server will make it more difficult to connect to the server. I suppose it depends on who you want looking at the pages that you host there. It would simply take including the port in the link to your site. I have little knowledge about the security of web servers and instead serve any pages that I need using Google APIs (which costs a little bit monthly).
Even I don't face any remote attempts (not even a single attempt) to connect to my Pi via ssh after I changed my ssh to a random port.

What I am trying to fix here is, when I try to launch my website (which is hosted on my Pi) from my LAN, I see my router's login page. From outside my LAN, it works well.

Dweeber

Re: SSH and webserver over Internet. Is my setup vulnerable

Sat Dec 01, 2012 4:28 am

sim_tcr wrote: What I am trying to fix here is, when I try to launch my website (which is hosted on my Pi) from my LAN, I see my router's login page. From outside my LAN, it works well.
Again... the easiest solution for that is a simple hosts file entry. You point it to the IP of the Pi. When you use your web browser using the hostname that outside users would use, it tells your browser to use that IP instead. Uses the same port etc...

Example on my workstation:

Code:

192.168.1.146	rpi.no-ip.org

On the workstation when I use http://rpi.no-ip.org the browser goes to 192.168.1.146 instead of whatever the DNS for it is outside the network.

Obviously you change the hostname to be that of what you are using. I don't use the no-ip service personally, but it doesn't matter what you are using.
